Jump to content
Wubi

RFID Cooking with Mifare Classic

Recommended Posts

Posted

This article was contributed by MI1.

Contents

1 RFID Cooking with Mifare Classic
2 0x00 - Preface
2.1 Dependencies
3 0x01 - Hardware
3.1 Touchatag - ACR122U
4 0x02 - Software
4.1 ACR122U driver
4.2 Open Source Near Field Communication (NFC) Library /LIBNFC/
4.3 MFOC -Mifare Classic Offline Cracker
5 0x03 - Dumping & Cooking
6 0x04 – ISIC Issue
7 0x06 – Conclusion
8 0x07 – What's next?
9 0x08 – Thanks
10 0x09 – References & Links
11 0x0A - About

RFID Cooking with Mifare Classic


600px-Cooking-with-mifare-classic.png

DISCLAIMER: The information and reference implementation is provided:

  • For informational use only as part of academic or research study, especially in the field of informational security, cryptography and secure systems
  • As-is without any warranty, support or liability - any damages or consequences obtained as a result of consulting this information if purely on the side of the reader
  • NOT to be used in illegal circumstances (for example to abuse, hack or trick a system which the reader does not have specific authorizations to such as ticketing systems, public transport, University/ISIC cards, building access systems or whatsoever systems using Mifare Classic as core technology)

NOTES:

  • This article contain no original research. All the research and implementation was made by other people and communities and is publicly available. We made this two cents just for fun and because we love BackTrack.
  • This is not A-Z guide so try harder!

0x00 - Preface


Some of you may have read that the proprietary symmetric key cryptographic algorithm of the MIFARE Classic card has been broken. The MIFARE Classic card is used in physical access control systems (PACS) and contact less payment systems (including tollway and public transportation systems). By some estimates, there are 500 million MIFARE cards deployed worldwide, and the majority of them are MIFARE Classic cards.

Backtrack-5-touchatag-mini.jpg

Mifare Classic is a inexpensive, entry-level chip, based on ISO/IEC 14443 Type A, 1kB or 4kB. Uses 13.56 Mhz contactless smartcard standard, proprietary CRYPTO1 with 48 bits keys. There is no protection against cloning or modifications. Anyone with 50 € reader can use this weakness against your infrastructure. At least one sector is always encrypted with default key. After cracking all keys, hackers are able to change name, students university number, expiration date... This cookbook is proof of concept how easy that can be done. Chosen ingredients: Backtrack | Touchatag starter package Tested on: BackTrack 4 R2, BackTrack 5 Final, (32bit)

Dependencies

root@bt:~# [COLOR="#FF0000"]apt-get install flex libpcsclite-dev libusb-dev checkinstall[/COLOR]

0x01 - Hardware


Touchatag - ACR122U

Touchatag is ACS ACR122(U) NFC Reader USB RFID reader. The USB reader works at 13.56MHz (High Frequency RFID) and has a readout distance of about 4 cm (1 inch) when used with the Touchatag RFID tags. This product is made by Advanced Card Systems Limited and seems to be available in different layouts but hardware doesn't differ so much. They are all using a PN532 NFC Controller chip and a ST7 microcontroler unit.

0x02 - Software


ACR122U driver

root@bt:~# [COLOR="#FF0000"]wget http://www.acs.com.hk/drivers/eng/ACR122U_driver_Lnx_Mac10.5_10.6_1.02_P.zip[/COLOR] 
root@bt:~# [COLOR="#FF0000"]unzip -d acr122u ACR122U_driver_Lnx_Mac10.5_10.6_1.02_P.zip[/COLOR]
root@bt:~# [COLOR="#FF0000"]cd acr122u[/COLOR]
root@bt:~# [COLOR="#FF0000"]tar -jxvf acsccid-1.0.2.tar.bz2[/COLOR]
root@bt:~# [COLOR="#FF0000"]cd acsccid-1.0.2[/COLOR]
root@bt:~# [COLOR="#FF0000"]./configure[/COLOR]
root@bt:~# [COLOR="#FF0000"]make [/COLOR]
root@bt:~# checkinstall -D -y --install

Open Source Near Field Communication (NFC) Library /LIBNFC/

Libnfc is the first free NFC SDK and Programmers API released under the GNU Lesser General Public License.

root@bt:~# [COLOR="#FF0000"]apt-get install -y debhelper libtool && wget http://libnfc.googlecode.com/files/libnfc-1.4.2.tar.gz [/COLOR]
root@bt:~# [COLOR="#FF0000"]tar xfvz libnfc-1.4.2.tar.gz &&cd libnfc-1.4.2[/COLOR]
root@bt:~# [COLOR="#FF0000"]svn checkout http://libnfc.googlecode.com/svn/tags/libnfc-1.4.2/debian[/COLOR]
root@bt:~# [COLOR="#FF0000"]dpkg-buildpackage -rfakeroot[/COLOR]
root@bt:~# [COLOR="#FF0000"]dpkg -i ../libnfc*.deb[/COLOR]

Check your reader / target with nfc-list.

root@bt:~# [COLOR="#FF0000"]nfc-list[/COLOR] 
nfc-list use libnfc 1.4.2 (r891)
Connected to NFC device: ACS ACR122U 00 00 / ACR122U103 - PN532 v1.6 (0x07)
1 ISO14443A passive target(s) was found:
ATQA(SENS_RES):00 02
UID (NFCID1): xx xx xx xx
SAK (SEL_RES): 18

If your reader is rejected because of the firmware (log message: „Firmware (x.y) is bogus!“) just disable version checking. All you need to do is change ifdDriverOptions (line 55 in Info.plist) to skip version checking like this:

root@bt:~# [COLOR="#FF0000"]nano /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist[/COLOR]
ifdDriverOptions
0×0005

Afterwards, restart the pcscd daemon and your Touchatag reader should be recognized and ready.

MFOC -Mifare Classic Offline Cracker

Mifare Classic Offline Cracker is a tool that can recover keys from Mifare Classic cards. Thanks to Norbert Szetei and Pavol Luptak for their attack's implementation. MFOC is utility to compute (crack) all keys (A and B) to all sectors, providing at least one of the keys is already known. Keys file is the file, where mfoc will store cracked keys. Format of that file is compatible with nfc-mfclassic, so you can then use it to dump the card into file, or write a dump onto the card.

root@bt:~# [COLOR="#FF0000"]wget http://nfc-tools.googlecode.com/files/mfoc-0.10.2.tar.gz && tar -xvzf mfoc-0.10.2.tar.gz[/COLOR] 
root@bt:~# [COLOR="#FF0000"]cd mfoc-0.10.2[/COLOR]
root@bt:~# [COLOR="#FF0000"]autoreconf -vis[/COLOR]
root@bt:~# [COLOR="#FF0000"]./configure [/COLOR]
root@bt:~# [COLOR="#FF0000"]make[/COLOR]
root@bt:~# [COLOR="#FF0000"]checkinstall -D -y --install[/COLOR]

0x03 - Dumping & Cooking


psscd coordinates the loading of drivers for card readers. It allows applications to access smart cards and readers without knowing details of the card or reader. It is a resource manager that coordinates communications with smart card readers and smart cards and cryptographic tokens that are connected to the system. I prefer start pcscd in foreground (no daemon) with pcscd -f. Then it's time to start mfoc. Use high number of probes, because default number of probes for a key recovery for one sector is 20. Whole cracking could take from 30 minutes to 30 hours.

Mfoc-mifare-dump.png

Mfoc-mifare-dump3.png

Mfoc-mifare-dump1.png

Mfoc-mifare-dump4.png

Mfoc-mifare-dump5.png

You can also use the -k key parameter, to add a key to the list of known keys, which is being tried against your card in the initial phase. The -k option somehow didn't work for me, so I always compile my known keys directly into mfoc.c Search for “Array with default Mifare Classic keys” Not sure about other countries, but in country where I live keys are the same. Once you have keys from all sectors, you should be able to use RFID-Fu against other cards, which is epic fail.

root@bt:~# [COLOR="#FF0000"]nfc-mfclassic --help [/COLOR]
Usage: nfc-mfclassic r|w a|b <dump.mfd> [<keys.mfd>]
r|w - Perform read from (r) or write to (w) card
a|b - Use A or B keys for action
<dump.mfd> - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)
<keys.mfd> - MiFare Dump (MFD) that contain the keys (optional)
Or: nfc-mfclassic x <dump.mfd> <payload.bin>
x - Extract payload (data blocks) from MFD
<dump.mfd> - MiFare Dump (MFD) that contains wanted payload
<payload.bin> - Binary file where payload will be extracted

Mifare-write.png

Keep in mind that card UID will be not affected (not changed) with this process. Buy some blank card or Proxmark III if that is what you want. If you are now thinking about dumping your electronic wallet right after recharge and when credit comes to zero, writing content back, then please don't do it. What can stop you from doing that? Well, probably only your conscience, but if the card gets blocked in 24 hours after first use then don't complain. Yes, there are online checking and billing systems out there for basic cards.

0x04 – ISIC Issue


With ISIC- International Student Identity Card attacker can abuse around ten service not only one. ISIC cards are widely used for entrance, transportation, dining payments and various others services or discounts. According to homepage there are 4.5 million cardholders in 120 countries. Cards should be replaced with more secure types ASAP. It is possible to do much more than that, but sufficient for demonstration let's play a little...

Hexedit-mifare.png

At some universities, there is only one entry security check – ISIC. As you can see this is trivial to bypass. We did many tests with public transportation systems and with university systems. Results are all the same – those systems are easily hackable.

Rfid-kiosk.jpg

0x06 – Conclusion


Finally, when will people learn their lesson? Cryptographic algorithms should be public so that they can be scrutinized and tested. Secret algorithms aren’t more valuable because they are secret. Anyone needing a highly secure smart card should make sure there's layered security and not just depend on the chip's encryption.

0x07 – What's next?


  • Since i have access to Proxmark III which is universal RFID hacking tool which can be used for 100% accurate cloning (even UID), i may once write second edition about c00king with Mifare Classic and HID Prox...
  • Arming BackTrack with GSM attack suite?

0x08 – Thanks


This cookbook was made with great help from h4f guys, many thanks to Vulcano and Back.

0x09 – References & Links


For further reading about this topic please see following:

0x0A - About


MI1 is a "full time security enthusiast" with university degree in the field of informatics. Recently focusing his passion to USRP and RFID stuff.

Sursa: RFID Cooking with Mifare Classic - BackTrack Linux

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...